Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

REVIEW OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS FOR FISCAL YEAR 2012

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Daniel R. Levinson
Inspector General

July 2014
A-18-14-30100


Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations. These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements. OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.


Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at https://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.


EXECUTIVE SUMMARY

Independent evaluations of the Medicare contractor information security program were adequate in scope and were sufficient. The Centers for Medicare & Medicaid Services should continue efforts to ensure that all Medicare contractor findings are remediated.

WHY WE DID THIS REVIEW

Each Medicare contractor must have its information security program evaluated annually by an independent entity. These evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). The Social Security Act (the Act) also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. The Inspector General, Department of Health and Human Services, must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year (FY) 2012.

Our objectives were to assess the scope and sufficiency of Medicare contractor information security program evaluations and report the results of those evaluations and assessments.

BACKGROUND

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 added to the Act information security requirements for Medicare administrative contractors (MACs), fiscal intermediaries, and carriers, which process and pay Medicare fee-for-service claims. To comply with these requirements, the Centers for Medicare & Medicaid Services (CMS) contracted with PricewaterhouseCoopers (PwC) to evaluate information security programs at the MACs, fiscal intermediaries, and carriers using a set of agreed-upon procedures.

The Act also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. To satisfy this requirement, CMS expanded the scope of its evaluations to test segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs, fiscal intermediaries, and carriers.

WHAT WE FOUND

PwC’s evaluations of the contractor information security programs were adequate in scope and were sufficient. PwC reported a total of 159 gaps at 10 Medicare contractors for FY 2012, which was 45 percent greater than the number of gaps for the same 10 contractors in FY 2011. The increase in the number of gaps was due to the addition of four test procedures and the expansion of eight test procedures as required by CMS. Gaps are defined as the differences between FISMA or CMS core security requirements and the contractors’ implementation of them.

Assessment of Scope and Sufficiency

PwC’s evaluations of the contractor information security programs adequately encompassed, in scope and sufficiency, the eight FISMA requirements referenced in the Act.

Results of Contractor Information Security Program Evaluations

The results of the contractor information security program evaluations are presented in terms of gaps.

At the 10 contractors in FY 2012, which covered all MACs, fiscal intermediaries, and carriers, PwC identified a total of 159 gaps, which it consolidated into 121 findings. The number of gaps increased by 45 percent when compared with the results for those 10 contractors in FY 2011 because of the expansion of testing in FY 2012.

The number of gaps per contractor in FY 2012 ranged from 11 to 22 and averaged 16. The most gaps occurred in the following FISMA control areas: policies and procedures to reduce risk (44 gaps at 10 contractors); periodic testing of information security controls (44 gaps at 10 contractors); incident detection, reporting, and response (24 gaps at 10 contractors); system security plans (15 gaps at 8 contractors); and continuity of operations for information technology systems (14 gaps at 8 contractors).

The contractors are responsible for developing a corrective action plan for each finding. CMS is responsible for tracking each finding until it is remediated.

CONCLUSION

The scope of the work and sufficiency of documentation for all reported gaps were sufficient for the 10 Medicare contractors reviewed by PwC. The total number of gaps identified at the Medicare contractors increased from the previous year because of new and expanded testing during the FY 2012 evaluations. Deficiencies remain in the FISMA control areas tested. CMS should ensure that all gaps are remediated by the Medicare contractors.

CENTERS FOR MEDICARE & MEDICAID SERVICES COMMENTS

CMS said it had “no comment on the draft report.”

Review of Medicare Contractor Information Security Program Evaluations for FY 2012 (A-18-14-30100)   i


TABLE OF CONTENTS

INTRODUCTION ........ 1
    Why We Did This Review ........ 1
    Objectives ........ 1
    Background ........ 1
        The Medicare Program ........ 1
        Medicare Prescription Drug, Improvement, and Modernization Act of 2003 ........ 1
        CMS Evaluation Process for Fiscal Year 2012 ........ 2
    How We Conducted This Review ........ 3

FINDINGS ........ 3
    Assessment of Scope and Sufficiency ........ 3
    Results of Medicare Contractor Information Security Program Evaluations ........ 3
        Policies and Procedures To Reduce Risk ........ 5
        Periodic Testing of Information Security Controls ........ 5
        Incident Detection, Reporting, and Response ........ 6
        System Security Plans ........ 7
        Continuity of Operations for Information Technology Systems ........ 7

CONCLUSION ........ 8

CMS COMMENTS ........ 8

APPENDIXES
    A: Audit Scope and Methodology ........ 9
    B: List of Gaps by Federal Information Security Management Act of 2002 Control Area and Medicare Contractor ........ 10
    C: Percentage Change in Gaps per Medicare Contractor ........ 11
    D: Results of Medicare Contractor Evaluations for Federal Information Security Management Act of 2002 Control Areas with the Greatest Number of Gaps ........ 12
    E: CMS Comments ........ 17


INTRODUCTION

WHY WE DID THIS REVIEW

The Medicare Prescription Drug, Improvement, and Modernization Act of 2003 (MMA) requires that each Medicare contractor have its information security program evaluated annually by an independent entity. These evaluations must address the eight major requirements enumerated in the Federal Information Security Management Act of 2002 (FISMA). The Social Security Act (the Act) also requires evaluations of the information security controls for a subset of systems but does not specify the criteria for these evaluations. The Inspector General, Department of Health and Human Services, must submit to Congress annual reports on the results of these evaluations, to include assessments of their scope and sufficiency. This report fulfills that responsibility for fiscal year (FY) 2012.

OBJECTIVES

Our objectives were to assess the scope and sufficiency of Medicare contractor information security program evaluations and report the results of those evaluations.

BACKGROUND

The Medicare Program

The Centers for Medicare & Medicaid Services (CMS) administers Medicare. Medicare is a health insurance program for people aged 65 or older, people under age 65 with certain disabilities, and people of all ages with end-stage renal disease. In FY 2012, Medicare paid approximately $478 billion on behalf of more than 50 million Medicare beneficiaries. CMS contracts with Medicare Administrative Contractors (MACs), fiscal intermediaries, and carriers to administer Medicare benefits paid on a fee-for-service basis. In FY 2012, 10 distinct entities served as MACs, fiscal intermediaries, and carriers for Medicare Parts A and B to process and pay Medicare fee-for-service claims.¹

Medicare Prescription Drug, Improvement, and Modernization Act of 2003

The MMA added information security requirements for MACs, fiscal intermediaries, and carriers to section 1874A of the Act.² (See 42 U.S.C. § 1395kk-1.) Each MAC, fiscal intermediary, and carrier must have its information security program evaluated annually by an independent entity (the Act § 1874A(e)(2)(A)). This section requires that these evaluations address the eight major requirements enumerated in the FISMA. (See 44 U.S.C. § 3544(b).) These requirements, referred to as “FISMA control areas” in this report, are:

    1. periodic risk assessments;
    2. policies and procedures to reduce risk;
    3. system security plans;
    4. security awareness training;
    5. periodic testing of information security controls;
    6. remedial actions;
    7. incident detection, reporting, and response; and
    8. continuity of operations for information technology (IT) systems.

¹ In FY 2011, there were 11 Medicare contractors. One contractor left the Medicare program during FY 2012.
² The MMA contracting reform provisions added to section 1874A of the Act replace existing fiscal intermediaries and carriers with MACs, which are competitively selected. Until all MACs are in place, the requirements of section 1874A also apply to fiscal intermediaries and carriers.

Section 1874A(e)(2)(A)(ii) of the Act requires that the effectiveness of information security controls be tested for an appropriate subset of Medicare contractors’ information systems. However, this section does not specify the criteria for evaluating these security controls.

Additionally, section 1874A(e)(2)(C)(ii) of the Act requires us to submit to Congress annual reports on the results of such evaluations, including assessments of their scope and sufficiency.

CMS Evaluation Process for Fiscal Year 2012

CMS developed agreed-upon procedures (AUP) for the program evaluation on the basis of the requirements of section 1874A(e)(1) of the Act, FISMA, information security policy and guidance from the Office of Management and Budget and the National Institute of Standards and Technology (NIST), and the Government Accountability Office’s (GAO) Federal Information Systems Controls Audit Manual (FISCAM). In FY 2012, the independent auditors, PricewaterhouseCoopers (PwC), under contract with CMS, used the AUPs to evaluate the information security programs at the 10 entities that served as MACs, fiscal intermediaries, and carriers. Many of the entities had multiple contracts with CMS to fulfill their responsibilities as Medicare fiscal intermediaries, carriers, Medicare Parts A and B MACs, and Durable Medical Equipment MACs. As a result, PwC issued separate reports for 18 MACs, fiscal intermediaries, and carriers.

To comply with the section 1874A(e)(2)(A)(ii) requirement to test the effectiveness of information security controls for an appropriate subset of contractors’ information systems, CMS included in the scope of its AUP evaluations testing of segments of the Medicare claims processing systems hosted at the Medicare data centers, which support each of the MACs, fiscal intermediaries, and carriers. Medicare data centers are used for “front-end” preprocessing of claims received from providers and “back-end” issuing of payments to providers after claims have been adjudicated. PwC performed additional testing to eliminate the need to contract with another entity to perform the assessments that had been performed in previous years at the data centers of the MACs, fiscal intermediaries, and carriers.

The results of the contractor information security program evaluations are presented in terms of gaps or findings, which are defined as differences between FISMA or CMS core security requirements and the contractor’s implementation of the requirements. In some instances, PwC determined that gaps involving the contractor’s internal control and its operations did not rise to the level of a finding, so they were noted as an observation and no corrective action plan was required. PwC assigned impact levels and risk ratings to each of the findings. The contractors are responsible for developing a corrective action plan for each finding, and CMS is responsible for tracking all corrective action plans and ensuring that the findings are remediated.

HOW WE CONDUCTED THIS REVIEW

We evaluated the FY 2012 results of the independent evaluations of the Medicare contractors’ information security programs. Our review did not include an evaluation of internal controls.

We conducted this performance audit in accordance with generally accepted government auditing standards, except that we did not obtain comments from PwC. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix A contains the details of our audit scope and methodology.


FINDINGS

PwC’s evaluations of the contractor information security programs were adequate in scope and were sufficient. PwC reported a total of 159 gaps at the 10 Medicare contractors, which resulted in 121 findings and 38 observations.

ASSESSMENT OF SCOPE AND SUFFICIENCY

PwC’s evaluations of the contractor information security programs adequately encompassed, in scope and sufficiency, the eight FISMA requirements referenced in section 1874A(e)(1) of the Act.

RESULTS OF MEDICARE CONTRACTOR INFORMATION SECURITY PROGRAM EVALUATIONS

As shown in Table 1, PwC identified a total of 159 gaps at the 10 Medicare contractors. The number of gaps per contractor ranged from 11 to 22 and averaged 16. See Appendix B for a list of gaps per control area by contractor.

                  Table 1: Range of Medicare Contractor Gaps³

                                          Number of Contractors With
         Number of     Total       0        1-5      6-10     11-15     16+
  FY     Contractors   Gaps       Gaps     Gap(s)   Gaps     Gaps      Gaps
  2011       10         110        0        1        3        5         1
  2012       10         159        0        0        0        5         5

The total number of gaps reported for the 10 Medicare contractors that PwC evaluated in both FY 2011 and FY 2012 increased by 45 percent in FY 2012 (from 110 in FY 2011 to 159 in FY 2012). The increase in the number of gaps was due to the addition of four test procedures and the expansion of eight test procedures, as required by CMS. The number of contractors with 0 to 10 gaps decreased by 4, and the number of contractors with 16 or more gaps increased by 4. Only one contractor had fewer gaps in FY 2012, and eight contractors had more gaps. See Appendix C for the FY 2011 to FY 2012 percentage change in gaps per Medicare contractor.

Table 2 summarizes the gaps found in each FISMA control area in FYs 2011 and 2012. All 8 FISMA control areas had an increase in gaps for FY 2012, with an increase of 2 to 13 gaps.

     Table 2: Gaps by Federal Information Security Management Act Control Area in FY 2012³

                                                                           No. of Contractors With
                                                 No. of Gaps Identified    One or More Gap(s)
  FISMA Control Area                             FY 2011    FY 2012        FY 2011    FY 2012
  Periodic risk assessments                         0          4              0          3
  Policies and procedures to reduce risk           37         44             10         10
  System security plans                            12         15              6          8
  Security awareness training                       3          9              3          5
  Periodic testing of information security         31         44             10         10
    controls
  Remedial actions                                  3          5              3          5
  Incident detection, reporting, and response      15         24             10         10
  Continuity of operations for IT systems           9         14              7          8
  Total                                           110        159

The Medicare contractor information security program evaluations covered several subcategories within each FISMA control area. Individual findings were assigned an overall risk level on a subjective basis by PwC after considering the impact to CMS and likelihood of occurrence.

³ The comparisons in Tables 1 and 2 and throughout the discussion that follows are limited to the 10 contractors that PwC evaluated in both FY 2011 and FY 2012. (For FY 2011, PwC reported a total of 127 gaps at the 11 Medicare contractors then in place.)

The following sections discuss the five FISMA control areas containing the most gaps. See Appendix D for descriptions of each subcategory tested for the five control areas.

Policies and Procedures To Reduce Risk

According to NIST Special Publication (SP) 800-53, Recommended Security Controls for Federal Information Systems and Organizations:

        … the management of risk is a key element in the organization’s information security program and provides an effective framework for selecting the appropriate security controls for an information system—the security controls necessary to protect individuals and the operations and assets of the organization. The risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints taking into account applicable federal laws, Executive orders, directives, policies, regulations, standards, or guidelines.

All 10 Medicare contractors had from 2 to 6 gaps each related to policies and procedures to reduce risk. In total, PwC identified 44 gaps in this area. Following are examples of gaps in policies and procedures to reduce risk:

    •   System configuration checklists did not comply with CMS requirements.

    •   Systems operating in the contractor’s environment did not have the latest patches⁴ installed.

    •   Malicious software protection procedures and mechanisms were not fully configured in a manner consistent with CMS requirements.

Ineffective policies and procedures to reduce risk could jeopardize an organization’s mission, information, and IT assets. Without adequate configuration standards and the latest security patches, systems may be susceptible to exploitation that could lead to unauthorized disclosure of data, data modification, or the unavailability of data.

⁴ A patch is a piece of software designed to correct security and functionality problems in software programs and firmware.

Periodic Testing of Information Security Controls

The effectiveness of information security policies, procedures, practices, and controls should be tested and evaluated at least annually (NIST SP 800-53, Control CA-2). Security testing enables organizations to measure levels of compliance in areas such as patch management, password policy, and configuration management (NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, section 2.3). Changes to an application should be tested and approved before being put into production (FISCAM, section 3.3).

All 10 Medicare contractors had from 4 to 5 gaps each related to periodic testing of information security controls. In total, 44 gaps were identified in this area. Following are examples of gaps in periodic testing of information security controls:

    •   The contractor’s system inventory process had not been implemented in accordance with CMS requirements. A complete and accurate listing of systems and devices supporting Medicare claims processing was not maintained.

    •   The contractor’s system security configurations did not comply with CMS requirements.

    •   Security weaknesses were found by internal network penetration testing.

Without a comprehensive program for periodically testing and monitoring information security controls, management has no assurance that appropriate safeguards are in place to mitigate identified risks.

Incident Detection, Reporting, and Response

The Executive Summary of NIST SP 800-61, Computer Security Incident Handling Guide, states that:

        Computer security incident response has become an important component of information technology programs. Security-related threats have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventative activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating any weaknesses that were exploited, and restoring computing services….

All 10 Medicare contractors had 1 to 4 gaps related to incident detection, reporting, and response. In total, PwC identified 24 gaps in this area. Following are examples of gaps in incident detection, reporting, and response:

    •   The log review policies and procedures and log review process did not comply with CMS requirements.

    •   A process was not in place to report scans of the network to CMS in accordance with CMS requirements.

    •   Personally identifiable information and protected health information incidents were not reported to CMS in accordance with CMS requirements.

Keeping the number of incidents reasonably low is very important to protect the business processes of the organization. If security controls are insufficient, high volumes of incidents may occur, which could overwhelm the incident response team. This could lead to slow and incomplete responses and negative business effects (e.g., extensive damage to computer systems, periods without computer service, and periods when data are unavailable).

System Security Plans

An agency should ensure its information security policy is sufficiently current to accommodate the information security environment and the agency mission and operational requirements (NIST SP 800-100, Information Security Handbook: A Guide for Managers, section 2.2.5). Organizations must screen employees before granting access to information and information systems (NIST SP 800-53, Control PS-3); they should revoke system access immediately following an employee termination (NIST SP 800-53, Control PS-4); and develop system security plans to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements (Executive Summary of NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems).

Two of the 10 Medicare contractors had no identified gaps related to system security plans, while the remaining 8 had from 1 to 2 gaps each. In total, PwC identified 15 gaps in this area.

Following are examples of gaps in system security plans:

    •   New hires did not complete the necessary contractor’s requirements before being granted systems access.

    •   System access for terminated users was not removed within the contractor-required timeframe.

    •   The contractor’s system security plan did not identify a complete list of platforms that support Medicare operations.

If information security program requirements are not implemented and enforced, management has no assurance that established system security controls will be effective in protecting valuable assets, such as information, hardware, software, systems, and related technology assets that support the organization’s critical missions.

Continuity of Operations for Information Technology Systems

According to NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, section 2.2, “contingency planning represents a broad scope of activities designed to sustain and recover critical IT services following an emergency.” Contingency planning for information systems is part of an overall organizational program for achieving continuity of operations for business operations. Physical security controls and media disposal were also included in the scope of PwC’s testing in this area.

Two of the 10 Medicare contractors had no identified gaps in continuity of operations for IT systems, while the remaining 8 had 1 to 4 gaps each. In total, PwC identified 14 gaps in this area. Following are examples of gaps in continuity of operations planning:

    •   The media disposal process did not meet CMS requirements.

    •   Contingency plan personnel did not receive contingency plan training within the past year.

    •   Procedures for performing backups were not documented in a manner consistent with CMS requirements.

If contingency planning activities are inadequate, even relatively minor interruptions of service can result in lost or incorrectly processed data, which can cause harm to beneficiaries, financial losses, expensive recovery efforts, and inaccurate or incomplete financial or management information.


CONCLUSION

The scope of the work and sufficiency of documentation for all reported gaps were sufficient for the 10 Medicare contractors reviewed by PwC. The total number of gaps identified at the Medicare contractors has increased from FY 2011, and deficiencies remain in the FISMA control areas tested. CMS should ensure that all gaps are remediated by the Medicare contractors.


CMS COMMENTS

CMS said it had “no comment on the draft report.” We have included CMS’s comments in their entirety as Appendix E.


APPENDIX A: AUDIT SCOPE AND METHODOLOGY

SCOPE

We evaluated the FY 2012 results of the independent evaluations of Medicare contractors’ information security programs. Our review did not include an evaluation of internal controls. We performed our reviews of PwC working papers at CMS headquarters in Baltimore, Maryland, and at Office of Inspector General regional offices from October 2013 through January 2014.

METHODOLOGY

To accomplish our objectives, we performed the following steps:

    •   To assess the scope of the evaluations of contractor information security programs, we determined whether the AUPs included the eight FISMA control requirements enumerated in section 1874A(e)(1) of the Act.

    •   To assess the sufficiency of the evaluations of contractor information security programs, we reviewed PwC working papers supporting the evaluation reports to determine whether PwC sufficiently addressed all areas required by the AUPs. We also determined whether all security-related weaknesses were included in the PwC reports by comparing supporting documentation with the reports. We determined whether all findings in the PwC reports were adequately supported by comparing the reports with the PwC working papers.

    •   To report on the results of the evaluations, we aggregated the results in the individual contractor evaluation reports. For the PwC evaluations, we used the number of gaps listed in the individual contractor evaluation reports to aggregate the results.

We conducted this performance audit in accordance with generally accepted government auditing standards, except that we did not obtain comments from PwC. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

APPENDIX B: LIST OF GAPS BY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREA AND MEDICARE CONTRACTOR

Control Areas (With Impact Levels)

Medicare    Periodic     Policies and    System    Security   Periodic Testing   Remedial  Incident Detection,  Continuity of   Total
Contractor  Risk         Procedures      Security  Awareness  of Information     Actions   Reporting, and       Operations for  Gaps
            Assessments  To Reduce Risk  Plans     Training   Security Controls            Response             IT Systems
    1            0             5            1          0              5             0               1                 4           16
    2            0             4            2          3              5             1               3                 1           19
    3            0             2            2          0              5             0               2                 1           12
    4            1             6            2          0              5             1               4                 3           22
    5            1             4            0          0              4             0               2                 0           11
    6            2             6            2          1              4             1               3                 2           21
    7            0             5            2          2              4             0               3                 1           17
    8            0             4            2          1              4             1               2                 1           15
    9            0             4            0          0              4             1               2                 1           12
   10            0             4            2          2              4             0               2                 0           14
  Total          4            44           15         9             44            5              24                14          159

APPENDIX C: PERCENTAGE CHANGE IN GAPS PER MEDICARE CONTRACTOR

Contractor    FY 2011 Gaps    FY 2012 Gaps    % Change
     1              9              16           78%
     2             14              19           36
     3             12              12           0
     4             16              22           38
     5              5              11           120
     6             11              21           91
     7              9              17           89
     8             12              15           25
     9             13              12           (8)
    10              9              14           56
   Total          110             159           45%

APPENDIX D: RESULTS OF MEDICARE CONTRACTOR EVALUATIONS FOR FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002 CONTROL AREAS WITH THE GREATEST NUMBER OF GAPS

POLICIES AND PROCEDURES TO REDUCE RISK

The Medicare contractor information security program evaluations assessed eight subcategories related to policies and procedures to reduce risk. The evaluation reports identified a total of 44 gaps in this FISMA control area.

Table 1: Gaps in Policies and Procedures To Reduce Risk

No.  Total Gaps  Subcategory
  1           2  Systems security controls have been tested and evaluated. The system and network boundaries have been subjected to periodic reviews or audits. Management reports for review and testing of IT security policies and procedures, including network risk assessment, accreditations and certifications, internal and external audits and security reviews, and penetration and vulnerability assessments, exist.
  2           0  All gaps in compliance per CMS’s minimum security requirements are identified in the results of management’s compliance checklist.
  3           5  Security policies and procedures include controls to address platform security configurations.
  4           9  Security policies and procedures include controls to address patch management.
  5           8  The latest patches have been installed on the contractor’s systems.
  6          10  Security settings are included within internal checklists and comply with Defense Information Systems Agency standards.
  7          10  Malicious software protection mechanisms have been installed on workstations and laptops, are up to date, and are operating effectively, and administrators are alerted to any malicious software identified on workstations and laptops.
  8           0  The network is logically separated between test, development, and production networks.
Total        44

PERIODIC TESTING OF INFORMATION SECURITY CONTROLS

The Medicare contractor information security program evaluations covered six subcategories related to the periodic testing of information security controls. The evaluation reports identified a total of 44 gaps in this FISMA control area.

Table 2: Gaps in Periodic Testing of Information Security Controls

No.  Total Gaps  Subcategory
  1          10  Annual reviews and audits are conducted to evaluate compliance with FISMA guidance from the Office of Management and Budget for reviews of IT security controls, including platform configuration standards.
  2           0  Change control management procedures exist.
  3           4  Change control procedures are tested by management to make certain they are in use.
  4          10  Systems are configured according to the contractor’s documented security configuration checklists.
  5          10  Weaknesses are identified by PwC during a network attack and penetration test.
  6          10  A formally maintained system component inventory is up to date and accurate.
Total        44

INCIDENT DETECTION, REPORTING, AND RESPONSE

The Medicare contractor information security program evaluations assessed four subcategories related to incident detection, reporting, and response.
The evaluation reports identified a total of 24 gaps in this FISMA control area.

Table 3: Gaps in Incident Detection, Reporting, and Response

No.  Total Gaps  Subcategory
  1           5  Management has a process to monitor systems and networks for unusual activity and intrusion attempts.
  2           4  Management has procedures to take, and has taken, action in response to unusual activity, intrusion attempts, and actual intrusions, including reporting.
  3           5  Management incident response processes and procedures are documented in accordance with CMS requirements.
  4          10  Log review procedures have been developed for specific platforms, log reviews were completed per procedures, and intrusion detection systems have been properly placed and configured.
Total        24

SYSTEM SECURITY PLANS

The Medicare contractor information security program evaluations assessed six subcategories related to system security plans.
The evaluation reports identified a total of 15 gaps in this FISMA control area.

Table 4: Gaps in System Security Plan

No.  Total Gaps  Subcategory
  1           0  A security plan is documented and approved.
  2           6  The security plan is kept current.
  3           0  A security management structure has been established, and criticality and sensitivity risk designations have been assigned to positions.
  4           7  Hiring, transfer, and termination policies address security.
  5           1  Employee background checks are performed.
  6           1  Management has documented that it periodically assesses the appropriateness of security policies and compliance with them.
Total        15

CONTINUITY OF OPERATIONS FOR IT SYSTEMS

The Medicare contractor information security program evaluations assessed 10 subcategories related to continuity of operations for IT systems. The evaluation reports identified a total of 14 gaps in this FISMA control area.

Table 5: Gaps in Continuity of Operations for IT Systems

No.  Total Gaps  Subcategory
  1           0  Critical data and operations are formally identified and prioritized. Emergency processing priorities are established.
  2           2  Data and program backup procedures have been implemented.
  3           0  Adequate environmental controls have been implemented. Physical security controls exist to protect IT resources.
  4           3  Staff has been trained to respond to emergencies.
  5           2  The organization manages maintenance activities.
  6           7  Policies and procedures for disposal of data and equipment exist and include applicable Federal security and privacy requirements.
  7           0  An up-to-date contingency plan is documented.
  8           0  Arrangements have been made for alternate data processing and telecommunications facilities.
  9           0  The contingency plan is periodically tested.
 10           0  Contingency plan test results are analyzed and contingency plans adjusted accordingly.
Total        14

APPENDIX E: CMS COMMENTS

DEPARTMENT OF HEALTH & HUMAN SERVICES                    Centers for Medicare & Medicaid Services
                                                         Administrator
                                                         Washington, DC 20201

DATE:    JUN 16 2014

TO:      Daniel R. Levinson
         Inspector General

FROM:    [signature illegible]

SUBJECT: Office of Inspector General (OIG) Draft Report: Review of Medicare Contractor Information Security Program Evaluations for Fiscal Year 2012 (A-18-14-30100)

The Centers for Medicare & Medicaid Services (CMS) thanks OIG for the opportunity to review and comment on the above-subject draft report. The objective of this study was to assess the scope and sufficiency of Medicare contractor information security program evaluations and report the results.
At this time, CMS has no comment on the draft report.

The CMS thanks OIG for their efforts on this issue and looks forward to working with OIG on this and other issues in the future.